1  Introduction

1.1  Background 

SecureCore  is  a  research  project  funded  by  the  National  Science  Foundation  (NSF)  to 
investigate  the  fundamental  architectural  features  required  for  trustworthy  operation  of 
mobile  computing  devices  such  as  smart  cards,  embedded  controllers  and  hand-held 
computers.  The  goal  is  to  provide  secure  processing  and  communication  features  for 
resource-constrained  platforms,  without  compromise  of  performance,  size,  cost  or  energy 
consumption.  In  this  environment,  the  security  must  also  be  built-in,  transparent  and 
flexible. 

This document describes the interfaces for kernel extension modules that may be
incorporated into the Trusted Management Layer (TML), specifically the Least Privilege
Separation Kernel (LPSK). The LPSK is composed of modules that are used as the
building blocks of the kernel implementation; these modules are referred to as core kernel
modules. Kernel extension modules are separate from the core LPSK modules and provide
additional functionality. Included in this document are interfaces that the LPSK provides
for the kernel extension modules to call, as well as interfaces the kernel extension
modules present for the LPSK to call under certain circumstances.

A  description  of  the  software  architecture  and  definitions  can  be  found  elsewhere  [1]. 

This  document  assumes  the  reader  is  familiar  with  the  architecture  and  terminology  of  the 
SecureCore  project. 

2  Core  Kernel  Interfaces  for  kernel  extension  modules 

The ‘printf’ interfaces function similarly to the C library ‘printf’ call, with the following
limitations.

•  Only certain escape characters (e.g. \n, \r) are recognized. The allowed escape
characters are ‘\r’ and ‘\n’. These escape characters are used in the same manner
as in the C library ‘printf’ call.

•  Only certain format specifiers (e.g. %d, %s) are recognized. The allowed format
specifiers are %s, %c, %d, %u, and %x. These format specifiers are used in the
same manner as in the C library ‘printf’ call.

•  It is assumed that string inputs to the ‘printf’ functions will be NULL (‘\0’)
terminated and contain only ASCII printable characters.
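
The limitations above are assumptions the caller must uphold, so a kernel extension module can check a format string before passing it to a kio_printf call. The following is an added example, not part of the original document or of the LPSK: kext_format_scan and its max_len bound are hypothetical, and treating width or length modifiers (e.g. %5d) as violations is a conservative assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not an LPSK interface).
 * Scans at most max_len bytes of `format` and returns the number of format
 * specifiers found, or -1 if the string breaks a documented limitation:
 *   - no '\0' terminator within max_len bytes
 *   - a byte that is neither printable ASCII nor '\r' / '\n'
 *   - a '%' not followed by a conversion character listed in `allowed`
 * Pass "dxu" for kio_printf_int, "s" for kio_printf_str, "c" for
 * kio_printf_char, and "" for kio_printf (which takes no specifier). */
static int kext_format_scan(const char *format, const char *allowed,
                            size_t max_len)
{
    size_t i;
    int specifiers = 0;

    if (format == NULL || allowed == NULL)
        return -1;

    for (i = 0; i < max_len; i++) {
        unsigned char c = (unsigned char)format[i];

        if (c == '\0')                  /* terminator found inside the bound */
            return specifiers;

        if (c == '%') {
            unsigned char next;

            if (i + 1 >= max_len)       /* do not read past the bound */
                return -1;
            next = (unsigned char)format[i + 1];
            /* Rejects a trailing '%', "%%", "%n" and any modifier. */
            if (next == '\0' || strchr(allowed, next) == NULL)
                return -1;
            specifiers++;
            i++;                        /* skip the conversion character */
            continue;
        }

        /* Only printable ASCII plus the two documented escapes. */
        if (c != '\r' && c != '\n' && (c < 0x20 || c > 0x7E))
            return -1;
    }
    return -1;                          /* no terminator within max_len */
}
```

A caller of kio_printf_int would proceed only when kext_format_scan(format, "dxu", bound) returns exactly 1.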

The LPSK does not support dynamic allocation of memory; therefore there is no ‘malloc’
interface. Memory required by kernel extension modules must be compiled into the
kernel extension module, via data declarations, as described in ‘Kernel Extension Module
Integration Guide’ [3].

2.1  kio_printf

This  call  is  used  to  display  a  string  to  the  screen. 

2.1.1  Prototype 

void  kio_printf(const  char  *  const  buffer); 

2.1.2  Inputs 

•  buffer 

The  string  to  be  displayed. 

2.1.3  Outputs 

•  None 

2.1.4  Effects 

•  None 

2.1.5  Errors 

•  None 

2.2  kio_printf_str

This  call  is  used  to  display  a  formatted  string  to  the  screen. 

2.2.1  Prototype 

void kio_printf_str(
    const char * const format,
    const char * const buffer);

2.2.2  Inputs 

•  format 

The  string  containing  the  format  specifier.  The  format  specifier  (%s)  will  be 
replaced  by  the  input  buffer. 

•  buffer 

The  string  to  be  displayed,  according  to  the  format  specifier. 

2.2.3  Outputs 


•  None 


2.2.4  Effects 

•  None 


2.2.5  Errors 

•  None 

2.3  kio_printf_int

This call is used to display a formatted number to the screen.

2.3.1  Prototype 

void kio_printf_int(
    const char * const format,
    const int value);

2.3.2  Inputs 

•  format 

The  string  containing  the  format  specifier.  The  format  specifier  (%d,  %x,  or 
%u)  will  be  replaced  by  the  string  representation  of  the  input  value. 

•  value 

The  numeric  value  to  be  displayed,  according  to  the  format  specifier. 

2.3.3  Outputs 


•  None 


2.3.4  Effects 

•  None 


2.3.5  Errors 

•  None 

2.4  kio_printf_char

This  call  is  used  to  display  a  formatted  character  to  the  screen. 

2.4.1  Prototype 

void kio_printf_char(
    const char * const format,
    const char value);

2.4.2  Inputs 

•  format 

The  string  containing  the  format  specifier.  The  format  specifier  (%c)  will  be 
replaced  by  the  input  character. 

•  value 

The  character  to  be  displayed,  according  to  the  format  specifier. 

2.4.3  Outputs 


•  None 


2.4.4  Effects 

•  None 


2.4.5  Errors 

•  None 

3  SP  Emulation  Module  Interfaces  for  LPSK


/* This structure defines the register state passed to the CEMInterrupt calls */
typedef struct {
    unsigned int gs;         /* the GS register */
    unsigned int fs;         /* the FS register */
    unsigned int es;         /* the ES register */
    unsigned int ds;         /* the DS register */
    unsigned int cspl0;      /* the CS register in the interrupt handler */
    unsigned int sspl0;      /* the SS register in the interrupt handler */
    unsigned int edi;        /* the EDI register */
    unsigned int esi;        /* the ESI register */
    unsigned int ebp;        /* the EBP register */
    unsigned int esp;        /* the ESP register */
    unsigned int ebx;        /* the EBX register */
    unsigned int edx;        /* the EDX register */
    unsigned int ecx;        /* the ECX register */
    unsigned int eax;        /* the EAX register */
    unsigned int intnum;     /* the interrupt number */
    unsigned int error_code; /* the error code that caused the interrupt,
                                only supported for interrupts
                                0x08, 0x0A - 0x0E, and 0x10,
                                all other interrupts have 0 in this field */

    /* The ‘plx’ fields below refer to the register state at the time the
       interrupt occurred. If the interrupt occurred inside PL0 the
       ‘ssplx’ and ‘espplx’ fields will contain 0 */
    unsigned int eipplx;     /* the IP register at the time of the interrupt */
    unsigned int csplx;      /* the CS register at the time of the interrupt */
    unsigned int eflags;     /* the flags register */
    unsigned int espplx;     /* the ESP register at the time of the interrupt */
    unsigned int ssplx;      /* the SS register at the time of the interrupt */
} registers_struct;

The following interfaces are defined elsewhere [2].

This function will be called during LPSK initialization:

int SPHW_PowerOn (void *initdata);

This function will be called during LPSK shutdown, or halt:

int SPHW_PowerOff (void *initdata);

This function will be called upon receipt of interrupt number 200 (0xC8):

SPFault SPHW_CEMInterrupt_Suspend (
    void *regs,
    size_t regslen,
    void *return_ip,
    const unsigned int partitionid,
    const unsigned int processid);

This function will be called prior to returning from the handler for interrupt number 200
(0xC8):

SPFault SPHW_CEMInterrupt_Resume (
    void *regs,
    size_t regslen,
    void *return_ip,
    const unsigned int partitionid,
    const unsigned int processid);

This function will be called after calling an emulated SP instruction to determine if a
hardware fault was generated:

int SPHW_CheckFault (SPFault fault);
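
The CEMInterrupt calls receive the register state as an untyped pointer and a length, so an implementation should confirm the buffer really is a registers_struct and that the invariants documented in the structure comments hold before acting on it. The following is an added example, not code from this document or from the SecureCore project: regs_source_pl and has_error_code are hypothetical helpers, and it assumes regslen is the size in bytes of the structure that regs points to.

```c
#include <stddef.h>

/* Layout as documented in section 3 (fields grouped per line for brevity). */
typedef struct {
    unsigned int gs, fs, es, ds;
    unsigned int cspl0, sspl0;
    unsigned int edi, esi, ebp, esp, ebx, edx, ecx, eax;
    unsigned int intnum, error_code;
    unsigned int eipplx, csplx, eflags, espplx, ssplx;
} registers_struct;

/* Documented: an error code is only supplied for 0x08, 0x0A - 0x0E, 0x10. */
static int has_error_code(unsigned int intnum)
{
    return intnum == 0x08 ||
           (intnum >= 0x0A && intnum <= 0x0E) ||
           intnum == 0x10;
}

/* Hypothetical helper, not an LPSK or SPHW interface.
 * Returns the privilege level (0-3) that was executing when the interrupt
 * occurred, or -1 if the buffer cannot be treated as a registers_struct or
 * contradicts the documented invariants. */
static int regs_source_pl(const void *regs, size_t regslen)
{
    const registers_struct *r = (const registers_struct *)regs;
    int pl;

    /* Assumption: regslen is the byte size of the structure behind regs. */
    if (regs == NULL || regslen != sizeof(registers_struct))
        return -1;              /* never read a short or oversized buffer */

    pl = (int)(r->csplx & 0x3u);    /* x86: low two bits of CS give the PL */

    if (pl == 0 && (r->ssplx != 0 || r->espplx != 0))
        return -1;              /* inside PL0 these fields must contain 0 */
    if (!has_error_code(r->intnum) && r->error_code != 0)
        return -1;              /* all other interrupts have 0 here */
    return pl;
}
```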